Clarify which string value is used when setting SVGAnimatedString's baseVal #961
Comments
@lukewarlow pointed out that this probably not true. Forging the toString() won't make a difference, https://w3c.github.io/trusted-types/dist/spec/#trustedhtml-stringification-behavior will be used and so this will use the extracted data. I guess we should do the same for the ones using SVGAnimatedString |
|
@lukewarlow As I read the current text, I added more tests in to cover this (as well as href on non-script elements) where we don't want to run the TT checks: https://phabricator.services.mozilla.com/D233341. Luckily, Gecko implements Chromium fails for "Assign string to SVGScriptElement.className.baseVal.", so it indeed executes the trusted type check for class name. |
The corresponding paragraph is https://svgwg.org/svg2-draft/single-page.html#types-InterfaceSVGAnimatedString
Trusted type integration was made in https://github.com/w3c/svgwg/pull/934/files but I can't see the changes in the live version.
As I see, SVGAnimatedString is currently in multiple places:
The steps for setting baseVal call "set the reflected attribute to value" which I believe corresponds to this algo which accepts a string. For SVGScriptElement, "value" is set to the result of Get Trusted Type compliant string. But for other cases, it's set to the "specified value" which can be a
TrustedScriptURL. Probably we should be more explicit and say we extract data as in https://html.spec.whatwg.org/#tt-trustedhtml-dataNote that in the case of a TrustedScriptURL with a forged stringified, that means setting these properties (e.g. className) would behave differently from properties only accepting a string.
cc @lukewarlow
The text was updated successfully, but these errors were encountered: